Blog for hpHosts, and whatever else I feel like writing about ....

Saturday 27 June 2009

Google serving Michael Jackson related malware

It should come as no surprise that when a tragedy happens, criminals online immediately look for ways to exploit it. The tragedy of Michael's passing is no different.

I was keeping an eye on Google for the last 48 or so hours to see what would come up, and there's literally a plethora of malware infections waiting for you. For example, let's take the following, which claims;

Michael Jackson (Death Photo) - Vox
26 Jun 2009 ... Blog 15 just almost body Southern Michael Jackson short final Email above ... music Site top Michael dominates Michael Hoax once his -- earlier to buried ... Lombard (Farrah Fawcett Playboy Video)Michael Jackson (Death ...
marylinrsscolumn.vox.com/.../michael-jackson-death-photo-1.html?_... - 17 hours ago


Loading the site shows us that (surprise surprise) it claims to be a video, and tries to make us believe the video has been posted by a real person;



Not surprisingly, if you click on this video, you're taken to a fake AV (vURL Results: http://vurl.mysteryfcm.co.uk/?url=690869);

1. video.xmancer.org/go.php?sid=1&name=michael+jackson&hostingtype=vox&theme=trends&category=&from=videoplayer

2. greatrewards.org/xstat/go.php?sid=1&name=

3. alls-tube-here.com/xplays.php?id=40014&name=

4. softportal-files.com/streamviewer.40014.exe (85K - ac0743191768749085e7806810a7efd4)

Sadly, detection for this particular variant is seriously lacking, with VT showing only 2 vendors detecting it;

http://www.virustotal.com/analisis/47e70bb33771451699cc65b171b8894a34f578023821449f6d278147f3106869-1246133921

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.6.34
Date: Sat, 27 Jun 2009 20:11:40 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.9
Location: http://greatrewards.org/xstat/go.php?sid=1&name=
Content-Length: 0

HTTP/1.1 302 Found
Date: Sat, 27 Jun 2009 20:11:42 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Set-Cookie: schema1=true; expires=Sat, 04-Jul-2009 20:11:42 GMT
Set-Cookie: visited1=5; expires=Sat, 04-Jul-2009 20:11:42 GMT
Referer: http://vurl.mysteryfcm.co.uk
Location: http://alls-tube-here.com/xplays.php?id=40014&name=
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

HTTP/1.1 200 OK
Date: Sat, 27 Jun 2009 20:11:39 GMT
Server: Apache/1.3.39 (Unix) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Set-Cookie: PHPSESSID=a3c13dc8d583c237792077cd1c8639c8; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
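
Added example, not part of the original post: a short Python sketch that rebuilds the redirect chain from a header capture like the one above and flags chains that change host more than once. The capture is abbreviated from the quoted responses; the function names and the one-host-change threshold are assumptions for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Abbreviated from the three responses quoted in the post.
CAPTURE = """\
HTTP/1.1 302 Moved Temporarily
Server: nginx/0.6.34
Location: http://greatrewards.org/xstat/go.php?sid=1&name=

HTTP/1.1 302 Found
Server: Apache/1.3.41 (Unix) PHP/5.2.5
Set-Cookie: visited1=5; expires=Sat, 04-Jul-2009 20:11:42 GMT
Location: http://alls-tube-here.com/xplays.php?id=40014&name=

HTTP/1.1 200 OK
Content-Type: text/html
"""
# Step 1 of the chain in the post, query string shortened.
START = "http://video.xmancer.org/go.php?sid=1&name=michael+jackson"

def parse_responses(dump):
    """Split a blank-line-separated header dump into (status, headers) pairs."""
    responses = []
    for block in dump.strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        status = int(lines[0].split()[1])  # "HTTP/1.1 302 Found" -> 302
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        responses.append((status, headers))
    return responses

def redirect_chain(start_url, dump):
    """Return one (url, status, changes_host) tuple per response in the dump."""
    chain, url = [], start_url
    for status, headers in parse_responses(dump):
        location = headers.get("location", [None])[0]
        nxt = urljoin(url, location) if location and 300 <= status < 400 else None
        cross = nxt is not None and urlsplit(nxt).hostname != urlsplit(url).hostname
        chain.append((url, status, cross))
        if nxt is None:
            break
        url = nxt
    return chain

def is_suspicious(chain, max_host_changes=1):
    """Assumed heuristic: flag chains that change host more than the threshold."""
    return sum(cross for _, _, cross in chain) > max_host_changes
```

The final 200 response carries no Location header, so the hand-off to the executable in step 4 is not visible in headers alone and has to be recovered from the page body.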


What is surprising is that a lot of those I checked (especially the *.blogspot.com sites) pointed to sites that had already been shut down.

Either way, this is going to get worse as the days go on, and it should be noted that it's not only search terms associated with Michael Jackson or Farrah Fawcett that are affected - these malicious links are in almost ALL results, irrespective of search terms (start at the last page of the results, that's where they tend to lie).

Be careful out there folks, and ensure you're surfing with ActiveX DISABLED (and unless the site absolutely requires it, scripts should be disabled too, as well as META REFRESH).

/edit

ThreatExpert report for the variant mentioned above.

http://www.threatexpert.com/report.aspx?md5=ac0743191768749085e7806810a7efd4
